Could you give us a little history of typical Intrusion Detection System (IDS) security and discuss your solution?
For the past 40 years, the goal of intrusion detection has been to monitor network assets to detect anomalous behavior and misuse for perimeter defense. In the beginning of 1980, James Anderson's paper Computer Security Threat Monitoring and Surveillance, written for a government organization, introduced the notion that audit trails contained vital information that could be valuable in tracking misuse and understanding user behavior. With the release of this paper, the concept of "detecting" misuse and specific user events emerged.
In 1983, SRI developed the Intrusion Detection Expert System (IDES) that analyzed audit trails from government mainframe computers and created profiles of users based upon their activities. In 1988, Lawrence Livermore [National] Laboratory produced an IDS that analyzed audit data by comparing it with defined patterns. In the '90s, the first network security management systems (NSM) were deployed in major government installations where network traffic analysis provided massive types of information. In 1997, the IDS market emerged [and] the security market leader, ISS, developed a network intrusion detection system called RealSecure.
A year later, Cisco recognized the importance of network intrusion detection and purchased the Wheel Group, attaining a security solution they could provide to their customers. Similarly, the first visible host-based intrusion detection company, Centrax Corp., emerged as a result of a merger of the development staff from Haystack Labs. New emerging application intrusion detection, heuristics and rules-based intrusion detection are incorporating artificial intelligence; however these emerging approaches are still based on James Anderson's notion that audit trails contain vital information that could be valuable in tracking misuse and understanding user behavior.
My patented invention deviates from James Anderson's approach entirely by using causal audit technology reverse process monitoring (RPM) to check the validity of an event (activity) with respect to the logical business process map. With this approach, business process security and quality issues can now be prevented and business ... impacts dramatically mitigated.
What are some of the weaknesses of current IDS solutions?
Current IDS solutions have high instances of false positives and true negatives and are extremely costly to maintain. Current IDS solutions were not designed for today's hyper connected business processes with high volume of instances. Attempting to detect misuse or anomalous behaviors requires infinite numbers of rules, patterns or algorithms, which is not possible, and is therefore the cause of the present day issue of cyber security and environment impacts. The current IDS solutions have focused [on] making the core methodology more efficient but not changing it to address the current market needs.
Your approach to auditing, detecting and protecting against cyber security breaches is different. You actually don't look at the data or networks, you look at an anomaly action or event. Will you explain this?
Every business is governed by a set of business processes that are somehow defined, implemented, executed and maintained. The success of every company depends on how well it manages the lifecycle of its process. Business people have little control and visibility into the business process workings that they own and are responsible for. Essentially, in our solution, an anomalous event occurs when the event does not the follow the logical business process map; i.e. there is no need for rules, patterns or algorithms to be defined. If an event causation history does not match the business process map, then we generate an alert for cyber command. In unusual cases where the logical business process map is unknown, our solution can reconstruct the business process map automatically for the organization.
You can watch both people’s actions and digital information streams in real time. Will you explain why it is critical to be watching for security breaches at the business process and event level?
The act of observing or watching is always in the present. In the observing process, the activities are being watched with respect to the known logical business process. If the anomaly is known in the present, then it can be acted upon immediately and its impacts mitigated. The current IDS systems are predicting anomalies based on past analysis of data, and therefore cannot act on anomalies in the present. In other words, the current IDS systems require the full data record captured prior to analyzing the data element relationships within the data record for anomalies. With our solution, a single event (live data element) can be checked for anomaly instantly and acted upon. It is important to note that, with current IDS solutions, the context is not the business process but rather the IT analyst or mathematicians who generate the rules, patterns and algorithms.
Where has your invention been tested and when were you patented?
Decision-Zone's solution has been tested by IBM Research Labs, IBM Federal Labs, Oracle and PwC using various pilot projects. Decision-Zone received a patent in June 2010 by USPTO [United States Patent and Trademark Office] (7908160).
Are there any cost benefits to your solution?
We have done a business case that compares our solution against current IDS solutions. In the pre-1990s, the cost/anomaly was approximately $100, with current most advanced IDS solutions; the cost has gone down to about $33/anomaly. Our solution has brought the cost down to $1/anomaly.
There also is a huge business process savings benefit when deploying anomaly detection security architectures. When you are using real-time event anomalies to view, audit and predict potential business processes breaches, you can also use the same information to improve your business processes. These savings could actually eliminate your costs of security and change them into profit centers.
What are the roadblocks to getting your solution deployed?
Getting people to think differently on how they are currently doing things is always problematic. We also have the issue existing legacy IDS architectures that don't want to change including established profit centers and products they don't want to give up. Combine this with organization bureaucracies in both government and business, and the roadblocks become more of a problem than solving the security issues. Hackers can not only react quickly due to not playing buy the rules, but can use the information published in government and industry compliance, certification and mandate security to target their security attacks.
Our solution is very different from the current IDS solutions available today. Unfortunately, there is limited awareness about the benefits of our new ways of offering true cyber security. As we gain exposure and customers understand, though, they will realize that this may be the only way to secure both man and machine actions in the digital age. When people begin to understand we are securing business processes not just data, the road blocks will fall.
Where do you see the future to be in achieving true cyber security?
We need to stop looking at zeros and ones and recognize that a digitally enhanced action is just an extension of a human action, and they must be viewed simultaneously if we are to achieve true security. The past IDS solutions have been based on detection of historical digital network and database numbers. Security in the future will be based on predictive anomalies based on yeses. When you base security architecture on yes actions, you not only refine your current detection capabilities, but add quality assurance to your business processes. Detecting yes action anomalies is the IDS of the future.
Larry Karisny is the director of Project Safety.org, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.
Image courtesy of Shutterstock
